History and Evolution of Mac Ransomware

Never before has Mac OS X been as heavily targeted by cybercriminals as it is now. Whereas infections like browser hijackers and ad-serving malware aren’t newcomers on the Mac arena, crypto ransomware appears to be taking its first baby steps toward the invasion of this huge niche. The term denotes a cluster of malicious programs that stealthily infiltrate computers, encode the victim’s personal files and extort money, usually Bitcoins, in exchange for a secret decryption key.

Windows users have been suffering from file-encrypting Trojan assaults for years, with the earliest incidents recorded back in 2011. Apple’s strong focus on code verification and its elaborate security mechanisms, by contrast, held back the nastiest of attacks. Maintaining the status quo, however, turned out to be a nontrivial challenge. Ironically enough, it was white hat researchers who pioneered the creation of Mac ransomware, and perpetrators simply followed suit.

A Wake-Up Call

In November 2015, Brazilian security enthusiast Rafael Salema Marques demonstrated that Mac OS X isn’t bulletproof against ransomware plagues. He spread the word about his proof-of-concept, in which a program he dubbed Mabouia was able to get around the defenses of a Mac machine and wreak havoc with files in a matter of minutes. The PoC infection is written in C++ and applies 32 rounds of the XTEA block cipher to encrypt data and thereby render it inaccessible. Just like real-world ransomware, it generates a 128-bit encryption key, transmits it to a C2 server and recommends a sleek recovery service requiring a fee.
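To make the cipher reference concrete, here is an added Python implementation of a single XTEA block operation with the 128-bit key and 32-round setting the article attributes to Mabouia. This is not Marques’ code; it shows only the published cipher primitive and none of the PoC’s file handling or C2 traffic, and the key and plaintext block are constructed sample values. The point a defender should take from it is that XTEA is symmetric: whoever holds the key can decrypt, so the key the PoC ships off to its server, not the strength of the cipher, is the operative detail.

```python
import struct

DELTA = 0x9E3779B9       # XTEA round constant (derived from the golden ratio)
MASK32 = 0xFFFFFFFF      # emulate uint32 wrap-around on Python's unbounded ints


def _check(block: bytes, key: bytes) -> None:
    if len(block) != 8:
        raise ValueError("XTEA works on 64-bit (8-byte) blocks")
    if len(key) != 16:
        raise ValueError("XTEA takes a 128-bit (16-byte) key")


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Encrypt one 8-byte block. `rounds` is the number of Feistel cycles;
    32 is the reference setting (and the one the article gives for Mabouia)."""
    _check(block, key)
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    total = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK32
        total = (total + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Inverse of xtea_encrypt_block: run the same key schedule backwards."""
    _check(block, key)
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    total = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK32
        total = (total - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


# Constructed sample values (not taken from the PoC): a fixed key and one block.
SAMPLE_KEY = bytes(range(16))
SAMPLE_BLOCK = b"ABCDEFGH"


def demo() -> dict:
    """Round-trip the sample block and show that a wrong key does not recover it."""
    ct = xtea_encrypt_block(SAMPLE_BLOCK, SAMPLE_KEY)
    wrong_key = bytes(16)
    return {
        "ciphertext": ct.hex(),
        "decrypts_with_right_key": xtea_decrypt_block(ct, SAMPLE_KEY) == SAMPLE_BLOCK,
        "decrypts_with_wrong_key": xtea_decrypt_block(ct, wrong_key) == SAMPLE_BLOCK,
    }


if __name__ == "__main__":
    print(demo())
```

The masking after each update is what keeps the Python arithmetic identical to the reference C code’s uint32 behaviour; the left shifts, XORs and additions only propagate upward, so truncating once per assignment is enough.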

Marques also added some ransom pricing flexibility to the mix, playfully offering three different payment models to hypothetical targets. The “Not as Important Plan” implies the decryption of 20 files and a handshake for $50; the “Important Plan” presupposes the recovery of 100 files plus a hug for $70; and the “VIP Plan” guarantees the decoding of all files and a kiss as a bonus for $100. All of the above come with “lifetime support”, which is particularly funny.

Mabouia is executed when a Mac user extracts a ZIP archive, which can be delivered in a phishing email disguised as a missed delivery notification, a payroll notice or a similarly eye-catching subject. Since the app only targets files stored in the user’s home folder, it can do without elevated privileges to make changes to data.

All in all, this PoC should have raised some flags, because it was the first viable crypto malware tailored for the Mac. The author provided his full code to Apple and Symantec so that security researchers could prepare countermeasures for likely attacks that wouldn’t be purely educational. The lesson, however, hasn’t been learned, and the bad guys ended up outsmarting the industry.

The Menace Gets Loose

Things started getting out of hand when the first real-world Mac ransomware emerged in early March 2016. Referred to as KeRanger, the strain initially circulated through a poisoned download of Transmission 2.90, a version of the popular open-source BitTorrent client for Mac OS X. The hackers had managed to compromise the official Transmission web page and replace the legit application’s DMG file with a malicious loader. Consequently, everyone who installed that version ended up catching the ransomware.

Unimpeded distribution of the KeRanger app stemmed from the fact that it was signed with a valid Mac developer certificate. Apple’s Gatekeeper, therefore, didn’t identify or block it at the early stage of the campaign. For some reason, the infection remains dormant for three days after its code is executed on a target Mac. Then it traverses the hard drive in order to spot files matching a predefined range of extensions: personal documents, images, videos, databases and other potentially important data. KeRanger continues the onslaught by reaching out to its Command & Control server over the Tor network (The Onion Router) and obtaining a unique encryption key. The victim’s files ultimately become encrypted with the 2048-bit RSA algorithm. This crypto is asymmetric, which means that the criminals’ server is the only place keeping the private decryption key.

The ransomware displays a document named README_FOR_DECRYPT.txt, which instructs the infected Mac user on how to recover the data. In particular, the victim needs to send 1 BTC, or around $400, to redeem what’s locked. KeRanger operators only accept Bitcoins, because the currency guarantees the anonymity of payment transactions and helps them evade tracking by law enforcement. To prove that the deal is real, the scammers can decrypt one file for free.

To their credit, Apple revoked the developer certificate used to sign the rogue app shortly after the malicious campaign commenced. KeRanger in its original form is, therefore, unable to bypass Gatekeeper and run on Mac machines at this point. The vendor of the Transmission applet promptly adopted measures as well, removing the malware from their website and posting a notification about the necessity of an immediate upgrade to the safe version 2.92. And yet, the fact that the incident took place at all keeps a question mark hanging over the effectiveness of ransomware response mechanisms.
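As an added example (not part of the original article and not any vendor’s tooling), the following Python script turns the indicators named above into a triage check a responder could run over a copied-out home folder: it looks for the README_FOR_DECRYPT.txt ransom note and reads the version string from a Transmission.app bundle to flag the poisoned 2.90 build, or anything older than the 2.92 release the vendor pointed users to. The directory layout, the Info.plist contents and the note text are constructed sample data. Two caveats follow from the article itself: the three-day dormancy means the absence of a note does not prove a 2.90 install is clean, and a revoked certificate only stops the original signed binary from launching; it does nothing for files that were already encrypted.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Indicators taken from the article: the ransom note name, the Transmission build
# that was replaced with the trojanised DMG, and the version users were told to
# upgrade to.
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
COMPROMISED_VERSION = "2.90"
SAFE_VERSION = "2.92"


def _version_tuple(version: str) -> tuple:
    """'2.90' -> (2, 90) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def find_ransom_notes(root) -> list:
    """Return every README_FOR_DECRYPT.txt found under `root` (sorted paths)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            hits.append(str(Path(dirpath) / RANSOM_NOTE))
    return sorted(hits)


def bundle_version(app_bundle):
    """Read CFBundleShortVersionString from <app>.app/Contents/Info.plist,
    or None if the bundle or the key is missing."""
    plist_path = Path(app_bundle) / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return None
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def assess(root, transmission_app) -> list:
    """Produce triage findings for one home folder plus its Transmission bundle."""
    findings = []
    version = bundle_version(transmission_app)
    if version == COMPROMISED_VERSION:
        findings.append(f"Transmission {version}: the build that shipped KeRanger; "
                        f"reinstall {SAFE_VERSION} or later")
    elif version is not None and _version_tuple(version) < _version_tuple(SAFE_VERSION):
        findings.append(f"Transmission {version}: older than the {SAFE_VERSION} "
                        f"upgrade the vendor recommended after the incident")
    for note in find_ransom_notes(root):
        findings.append(f"ransom note present: {note}")
    return findings


def build_constructed_fixture():
    """Constructed sample for offline use: a throw-away directory holding a
    Transmission.app bundle claiming version 2.90 and one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="keranger-demo-"))
    app = root / "Applications" / "Transmission.app"
    (app / "Contents").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": COMPROMISED_VERSION}, fh)
    docs = root / "Documents"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root, app


if __name__ == "__main__":
    demo_root, demo_app = build_constructed_fixture()
    for line in assess(demo_root, demo_app):
        print(line)
```

On a real machine you would point `assess()` at the user’s home directory and at /Applications/Transmission.app; the script deliberately reads only the bundle’s Info.plist and file names, so it can be run against a mounted image of a suspect disk without executing anything from it.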

Evolution of Mac Ransomware

In fact, there are other breeds of Mac ransomware at large, but those are browser lockers rather than crypto viruses, and the damage isn’t nearly as high. The infamous FBI MoneyPak malware affects Safari on infected Macs by displaying a persistent page that impersonates the FBI. The warning message contains false accusations of illegal user activity such as violation of copyright and distribution of prohibited adult content. It also claims that all files have been encrypted, but that’s a total bluff. All it takes to resolve the issue is to reset Safari.

As opposed to ridiculously primitive browser lockers, the Mabouia proof-of-concept and KeRanger are the first samples of Mac ransomware code that actually encrypts victims’ files. As it turned out, Apple’s security barriers aren’t an insurmountable obstacle for cybercriminals. This obvious progress in attack vectors and techniques gives us a glimpse of what the future holds: ransomware like Locky may start targeting Mac OS X and will quite likely become the number one security concern for Mac aficionados in the near future.

About David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.